Who’s Responsible For Cyber Insurance Policy Misrepresentations? It Depends.
On July 6, 2022, the Travelers Property Casualty Company of America (Travelers Insurance) filed a suit in an Illinois federal court against International Control Services, Inc. (ICS) asking for policy rescission and declaratory judgment against ICS. Travelers alleges that ICS misrepresented its use of multifactor authentication (MFA) on its policy application, which should be sufficient legal grounds to deny payment on ICS’s ransomware claim and void the policy entirely. If this reads like legalese, that’s because cyber insurance policies are legally binding agreements and application “errors or omissions” nullify contracts.
Failure To Validate Attestations Is Costly, For Both Parties
ICS applied for a cyber insurance policy after a compromised username/password resulted in a ransomware attack in December 2020. In its application, ICS disclosed the previous incident and said it had made cybersecurity improvements since then. After a second ransomware attack in May 2022 and subsequent claim for payment, a claims investigation uncovered that at the time of the second attack, as well as when the policy was requested, MFA was deployed to protect its firewall but not other digital assets.
Reliance on questionnaires and clarifying questions is common. Just as common is the absence of any requirement for ongoing monitoring or for evidence that the stated requirements are actually met. Travelers’ MFA attestation outlined specific MFA requirements across numerous areas, each with a yes/no response. For ICS, a judgment against it could make it uninsurable, which is a costly business proposition. It could also weaken customer trust, opening ICS up to increased scrutiny in the form of third-party risk assessments, requests for attestation of security practices, and potential loss of business.
The Pressure Increases For Insureds And Insurers, Priming The Market For Change
What makes this suit interesting and potentially consequential to the cyber insurance market is twofold: (1) The demand for cyber insurance is at an all-time high, with demand for coverage exceeding supply of policies and (2) years of handing out policies like Oprah handing out free cars, followed by an exponential increase in claim frequency and severity, has left insurers in a profitability pickle and diligently seeking to limit their risk exposure.
The judgment in this case will set precedent for future cases and affect the cyber insurance market on both the supply and the demand side. It also raises critical questions about the effectiveness of current risk management and due diligence practices in the underwriting process. But it doesn’t change the fact that, today, more firms want cyber insurance coverage than insurers can or have the appetite to underwrite — which means that the insurers are holding all the cards and, likely, most of the risk. So regardless of the outcome of this suit, we expect to see market shifts, including:
- Elevated roles for other players in the cyber insurance ecosystem. Brokers will take on a stronger consultative and advisory role to help insureds best position themselves when applying for policies. Tech providers of data risk insights such as BitSight, Black Kite, and DynaRisk will have a more prominent role and go into more depth in helping insureds and insurance carriers understand risk exposure — before applying for a policy, during underwriting, and through the life of an insured’s policy. Service providers that offer independent audits, ransomware readiness assessments, and penetration testing will see greater demand as their deliverables serve as inputs for risk assessment, decision-making, and recommendations for security program improvements.
- Expanded market opportunities for security services and monitoring tools. Combination offerings of security services plus cyber insurance (such as Resilience) as well as alliances like AT&T, Lockton, and CNA already exist today, primarily targeting small and midmarket companies, where this need is greatest and likely to expand. In countries like Japan, monitoring requirements already exist for cyber insurance.
- Stronger stakeholder collaboration and due diligence for insurance questionnaires and attestations. This is required to make an already challenging process of responding to larger questionnaires and tighter insurer requirements go more smoothly, increasing your chances of acquiring and renewing coverage.
- Increased ongoing monitoring and verification from insurers. Travelers will undoubtedly learn from this experience and seek to reduce its risk of similar scenarios in the future. Tighter requirements, changes to attestation language, requests for evidence to support attestations, and a burden of proof on applicants, as well as monitoring or services provider partnerships, will likely be on the table as considerations for certain customer segments.
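The ICS facts above illustrate the gap an attestation can hide: MFA on the firewall is not MFA across “other digital assets,” yet a single yes/no box invites a blanket answer. The script below is an added example, not code from this article, from Travelers, or from ICS, of how an insured (or an auditor acting for an insurer) can reconcile an asset inventory against per-area MFA questions so that each answer is backed by evidence, and how a second snapshot can be diffed to support the ongoing verification discussed in the last bullet. The inventory, the attestation categories, and the asset names are all constructed for illustration and do not reflect any real questionnaire.

```python
"""Evidence-backed MFA attestation check and drift detection.

Added example with constructed data; the categories and question wording are
hypothetical stand-ins for an insurer's questionnaire, not Travelers' actual form.
"""
from collections import defaultdict

# Constructed inventory snapshot at policy application time. "mfa_enforced"
# means MFA is required to authenticate, not merely that it is available.
INVENTORY_AT_APPLICATION = [
    {"name": "edge-fw-01", "category": "remote_network_access", "mfa_enforced": True},
    {"name": "vpn-gw-01", "category": "remote_network_access", "mfa_enforced": True},
    {"name": "mail-tenant", "category": "email", "mfa_enforced": False},
    {"name": "dc-01", "category": "privileged_admin", "mfa_enforced": False},
    {"name": "backup-srv-01", "category": "backups", "mfa_enforced": False},
]

# Constructed later snapshot: one fix (mail-tenant), one regression (vpn-gw-01),
# and one new unprotected asset (jump-host-02).
INVENTORY_AT_RENEWAL = [
    {"name": "edge-fw-01", "category": "remote_network_access", "mfa_enforced": True},
    {"name": "vpn-gw-01", "category": "remote_network_access", "mfa_enforced": False},
    {"name": "mail-tenant", "category": "email", "mfa_enforced": True},
    {"name": "dc-01", "category": "privileged_admin", "mfa_enforced": False},
    {"name": "backup-srv-01", "category": "backups", "mfa_enforced": False},
    {"name": "jump-host-02", "category": "privileged_admin", "mfa_enforced": False},
]

# Hypothetical yes/no attestation questions, keyed by inventory category.
QUESTIONS = {
    "remote_network_access": "Is MFA enforced for all remote network access?",
    "email": "Is MFA enforced for all email access?",
    "privileged_admin": "Is MFA enforced for all privileged/admin accounts?",
    "backups": "Is MFA enforced for access to backups?",
}


def coverage_by_category(inventory):
    """Return {category: (enforced_count, total_count, [unprotected asset names])}."""
    totals = defaultdict(lambda: [0, 0, []])
    for asset in inventory:
        entry = totals[asset["category"]]
        entry[1] += 1
        if asset["mfa_enforced"]:
            entry[0] += 1
        else:
            entry[2].append(asset["name"])
    return {cat: (e[0], e[1], e[2]) for cat, e in totals.items()}


def answer_attestation(inventory, questions):
    """Answer each question 'yes' only when every in-scope asset enforces MFA.

    A category with nothing in the inventory is answered 'unknown', because an
    empty scope is more likely a gap in the inventory than a true 'yes'.
    """
    cov = coverage_by_category(inventory)
    answers = {}
    for cat, text in questions.items():
        if cat not in cov:
            answers[cat] = {"question": text, "answer": "unknown",
                            "evidence": "no assets inventoried in this category"}
            continue
        enforced, total, gaps = cov[cat]
        evidence = f"{enforced}/{total} assets enforce MFA"
        if gaps:
            evidence += "; gaps: " + ", ".join(gaps)
        answers[cat] = {"question": text,
                        "answer": "yes" if enforced == total else "no",
                        "evidence": evidence}
    return answers


def blanket_claim_supportable(answers):
    """True only if every attestation question is honestly answerable 'yes'."""
    return all(a["answer"] == "yes" for a in answers.values())


def mfa_drift(previous, current):
    """Assets whose MFA status regressed or that appeared without MFA since the last snapshot."""
    before = {a["name"]: a["mfa_enforced"] for a in previous}
    regressed, new_unprotected = [], []
    for asset in current:
        name, enforced = asset["name"], asset["mfa_enforced"]
        if name in before and before[name] and not enforced:
            regressed.append(name)
        elif name not in before and not enforced:
            new_unprotected.append(name)
    return {"regressed": sorted(regressed), "new_unprotected": sorted(new_unprotected)}


if __name__ == "__main__":
    answers = answer_attestation(INVENTORY_AT_APPLICATION, QUESTIONS)
    for a in answers.values():
        print(f"{a['question']} -> {a['answer']} ({a['evidence']})")
    print("Blanket 'we use MFA' claim supportable:", blanket_claim_supportable(answers))
    print("Drift since application:", mfa_drift(INVENTORY_AT_APPLICATION, INVENTORY_AT_RENEWAL))
```

Run as-is, the application snapshot answers “yes” only for remote network access (the firewall and VPN), “no” for email, privileged accounts and backups, so the blanket claim is not supportable; the renewal diff then flags the VPN regression and the new jump host, which is the kind of evidence an insurer asking for ongoing verification would expect to see attached to a renewal.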
Without question, the cyber insurance market is hot, dynamic, and has evolved from a “nice to have” to a “must have” for businesses and government agencies. For more on the cyber insurance market, look for our upcoming research reports on the tech exec’s guide to cyber insurance and general cyber insurance Q&A.